Short:
XSLT is applied to XML, and I want to load another XML using document(http://...) from a different domain than the XSL and the source XML. I have added CORS headers to the server and it works on Firefox, not Chrome. Why and how to fix it?
Full case:
First I tried a CORS request using the html5Rocks example. So I have an HTML document at http://localhost/cors.html containing this code:
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <title></title>
    <script>
      function createCORSRequest(method, url)
      {
        var xhr = new XMLHttpRequest();
        if ("withCredentials" in xhr)
        {
          xhr.open(method, url, true);
        }
        else if (typeof XDomainRequest != "undefined")
        {
          xhr = new XDomainRequest();
          xhr.open(method, url);
        }
        else
        {
          xhr = null;
        }
        return xhr;
      }
      function go()
      {
        console.log('go!');
        var url = 'http://cors1.localhost/cors-data.xml';
        var xhr = createCORSRequest('GET', url);
        if (!xhr)
        {
          throw new Error('CORS not supported');
        }
        xhr.onload = function()
        {
          var responseText = xhr.responseText;
          var responseXml = xhr.responseXML;
          console.log(responseXml);
        };
        xhr.onerror = function()
        {
          console.log('There was an error!');
        };
        xhr.send();
      }
      document.addEventListener('DOMContentLoaded', go, false);
    </script>
  </head>
  <body>
  </body>
</html>
It works fine on Firefox: the XHR object sends a CORS request and it is handled well by both browsers and servers thanks to the following server .htaccess file.
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "OPTIONS, GET, POST"
Header set Access-Control-Allow-Headers "Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control"
Now I'm testing it on Chrome ... No problem, it works fine too ☺ In both browsers, the console displays the contents of the XHR response (its responseXml), so I assume that the server is configured correctly (right?).
XML :
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="CORS.xsl"?>
<cors source="http://cors1.localhost/CORS-data.xml"/>
XSLT :
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" encoding="utf-8" indent="yes"/>
  <xsl:template match="/cors">
    <xsl:variable name="cors" select="document(@source)/cors"/>
    <p>
      <xsl:text>CORS-data.xml (</xsl:text>
      <a href="{@source}">
        <xsl:value-of select="@source"/>
      </a>
      <xsl:text>): </xsl:text>
      <xsl:value-of select="$cors"/>
    </p>
  </xsl:template>
</xsl:stylesheet>
, XSLT (http://cors1.localhost/CORS-data.xml) (<xsl:value-of select="$cors"/>). Firefox, Chrome, :
Unsafe attempt to load URL http://cors1.localhost/CORS.xsl from frame with URL http://localhost/CORS.xml. Domains, protocols and ports must match.
:
CORS-data.xml (http://cors1.localhost/CORS-data.xml):
() - XML- ( "ok" ) :, .
, file:///, http://. , file:/// XSLT ,
Chrome CORS javascript XHR, XSLT document()? ?
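Added example, not part of the original post: the response-header check a browser applies to a cross-origin XHR (the "CORS check" of the Fetch standard), run against the `.htaccess` headers quoted above. It shows why the non-credentialed XHR test passes with `Access-Control-Allow-Origin: *` and why the same headers fail once credentials are sent; it covers only the XHR header check, not XSLT `document()` loading. The function name `corsCheck` and the `pinnedHeaders` values are assumptions made for this illustration.

```javascript
// Added example: models the Fetch-standard CORS check on response headers.
// Header names are given in lowercase; values are compared byte-for-byte.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  const withCredentials = credentialsMode === "include";
  // The wildcard is honoured only for requests that carry no credentials.
  if (!withCredentials && allowOrigin === "*") {
    return { ok: true, reason: "wildcard accepted without credentials" };
  }
  // Otherwise the header must equal the serialized request origin.
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === "*"
      ? "wildcard origin is rejected when credentials are sent"
      : "origin mismatch";
    return { ok: false, reason };
  }
  if (!withCredentials) {
    return { ok: true, reason: "origin matched" };
  }
  if (headers["access-control-allow-credentials"] === "true") {
    return { ok: true, reason: "origin matched and credentials allowed" };
  }
  return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Headers as set by the .htaccess in the post.
const postedHeaders = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "OPTIONS, GET, POST",
};

// Constructed alternative (assumption): pin the one origin that needs access.
const pinnedHeaders = {
  "access-control-allow-origin": "http://localhost",
  "access-control-allow-credentials": "true",
  "vary": "Origin",
};

// The page at http://localhost/cors.html has origin "http://localhost".
// An XHR without withCredentials uses credentials mode "same-origin".
const origin = "http://localhost";
console.log(corsCheck(origin, "same-origin", postedHeaders)); // passes
console.log(corsCheck(origin, "include", postedHeaders));     // fails
console.log(corsCheck(origin, "include", pinnedHeaders));     // passes
```
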